Cybersecurity measures in the healthcare industry amount to much more than an exercise in “checking the boxes” – they are about protecting data and the systems that depend on it. In this industry, the ability to comply frequently has life-or-death consequences.
We need look no further than the COVID-19 pandemic of 2020 to see why: The World Health Organization (WHO) saw a two-fold increase in cyberattacks during this time. The FBI warned that an Advanced Persistent Threat (APT) actor was using the Kwampirs Remote Access Trojan (RAT) to compromise healthcare companies and hospital networks, including their industrial control systems. INTERPOL issued a “Purple Notice” – a request for information about the modus operandi, objects, devices and concealment methods used by criminals – to alert police in all of its 194 member countries to a spike in ransomware attempts.
INTERPOL’s Purple Notice stated, “Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.”
Human lives are at stake when an adversary can disrupt an entire medical system or even a single respirator unit. As amoral as it sounds, that is precisely the adversary’s value proposition: by threatening to shut everything down unless a ransom is paid, the attacker counts on the hospital paying whatever it takes to keep operations going.
That is why the Health Insurance Portability and Accountability Act of 1996 (HIPAA) plays such a key role in the protection of healthcare data and systems. Under HIPAA, the U.S. Department of Health and Human Services (HHS) has developed regulations that resulted in the “Privacy Rule” and the “Security Rule.” The Privacy Rule establishes standards for the protection of certain health information. The Security Rule sets standards for safeguarding certain health information that is held or transferred in electronic form, i.e., “electronic protected health information” (e-PHI). In a world in which health information systems and medical devices are more connected than ever to treatment and operational systems, fortifying both the data and the systems that process it has become mission-critical.
To comply with HIPAA, organizations that handle protected health information must put physical, technical and administrative safeguards in place and follow them. The standards apply to anyone involved in treatment, payment or healthcare operations who has access to patient information – including subcontractors and related business associates. Among other safeguards, affected organizations need to demonstrate capabilities in person/entity authentication, transmission security, access and audit controls, security management, assigned security responsibility, information access management, security incident procedures and workforce training.
However, healthcare organizations have increasingly struggled both to satisfy these standards and to defend themselves from cyber attacks: complaints about HIPAA violations have risen sharply in recent years, to 28,261 in 2019 from 25,912 in 2018, according to the HHS Office for Civil Rights (OCR). More than 572 data breaches were reported to OCR, the media and other sources in 2019, up from 503 in 2018.
Based on its analysis of nearly 41,700 security incidents and more than 2,010 breaches, the 2019 Verizon Data Breach Investigations Report (DBIR) attributes 466 of those incidents (sixth among all sectors) and 304 of the breaches (second overall, behind only the public sector) to the healthcare industry. In addition, for the ninth year in a row, healthcare organizations suffered the highest average cost of a data breach, at $6.45 million – 65 percent greater than the $3.92 million global average across all industries, according to the 2019 Cost of a Data Breach Report from the Ponemon Institute and IBM. What drives the cost is how critical this information is to treating patients effectively; cyber criminals know it and use it as leverage against healthcare organizations.
Cloud migrations, driven by digital transformation, are adding to the complexity of data protection and compliance: by the end of this year, industry organizations will run half of their healthcare information technology (HIT) workloads in the cloud, up from 21 percent in 2018, according to a survey by the Healthcare Information and Management Systems Society (HIMSS). Yet the average healthcare organization uploads 6.8 TB of data to the cloud each month (more than one TB beyond the size of all of Wikipedia’s archives), and 93 percent of the industry’s cloud services are rated medium to high risk, according to McAfee. It doesn’t help that healthcare providers spend just 5 percent of their IT budgets on security, well below the 7.3 percent spent by the banking/financial services sector, according to research from Gartner.
At Caveonix, we have dedicated ourselves to helping healthcare organizations comply with HIPAA readily and, in doing so, better defend their data and systems, whether on-premises or in the cloud. Caveonix RiskForesight implements continuous compliance for the controls critical to protecting workloads and exceeding HIPAA requirements, and it continuously reports on control effectiveness across infrastructure and applications. The solution performs thousands of checks mapped to HIPAA’s safeguards, tracking and reporting adherence to HIPAA requirements and determining the impact of vulnerabilities and configuration changes on our customers’ secure compliance baseline. RiskForesight detects compliance drift, analyzes the resulting risk and recommends the steps needed to bring applications back into compliance.
RiskForesight distinguishes itself by delivering an ongoing, continuous evaluation of where our customers stand, identifying and assessing compliance and risk wherever their data resides. The Caveonix team firmly believes that if you can see it, you can quantify it, and if you can quantify it, you can apply the governance required to put effective controls in place. We understand that HIPAA is about more than “checking boxes” – it is about successfully managing risk and protecting information that helps save lives and make sick people well again. If you would like to discuss how we can work together to solve your compliance and cybersecurity problems, please contact us.